Runtime security-corpus gate for the Phase 21 scheduled-refresh path per D-21.

Every existing security-corpus fixture acts as a refusal trigger on the scheduled path. If freshly-fetched metadata trips a known-bad shape (xml-crypto 2025 signature-wrapping family, PortSwigger Fragile-Lock namespace-confusion shapes, etc.), this gate refuses the apply with {:error, %Relyra.Error{type: :corpus_violation}} so the wrapper sets auto_suspended_reason: :corpus_violation per the LOCKED enum.

The corpus manifest physically lives at priv/security_corpus.json so both this runtime gate AND the test corpus reader at test/security/xml/corpus_security_test.exs can read the same source of truth without crossing the lib/test boundary in either direction.

Detection model

The gate evaluates the candidate XML against byte-level refusal shapes derived from each manifest fixture's expected_error_type. The pre-parse refusal shapes (:doctype_forbidden, :entity_expansion_forbidden, :payload_too_large) catch the trust-boundary attacks the gate is responsible for at the metadata-XML byte level — these are the same pre-parse early-rejection conditions the hardened parser (Relyra.Security.XML.PureBeam) already enforces, but routed through the Phase-21 :corpus_violation typed error so the wrapper can set the matching auto_suspended_reason.

Pure: no Repo, no Req, no telemetry. Reads priv/security_corpus.json once at compile time (a @manifest module attribute).